MaxPatrol SIEM

Detects cyberincidents that undermine a company's cyber resilience

T1550.004: Web Session Cookie

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service, so that credentials are not passed on every request and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie (T1539) or Forge Web Credentials: Web Cookies (T1606.001), the adversary may import the cookie into a browser they control and use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform any action the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_lateral_movement: PT-CR-1927: Start_Browser_Pivoting: A browser was started with remote debugging enabled, which can be used to forward traffic to an attacker's machine
mitre_attck_lateral_movement: PT-CR-1928: Subrule_Browser_Remote_Debugging: Attempt to start a browser with remote debugging enabled, which can be used to forward traffic to an attacker's machine
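The two rules above fire on a browser launched with a remote-debugging switch. The following is an added example of that detection logic, written for this page and not taken from the MaxPatrol SIEM rule base or from Positive Technologies; it runs over constructed process-creation events (Sysmon Event ID 1 / Windows 4688 style fields) and is not the vendor's rule syntax. The browser image list, the automation-driver allowlist and the sample events are assumptions for illustration. Chromium-family switches checked are --remote-debugging-port, --remote-debugging-pipe and --remote-allow-origins; Firefox switches are --remote-debugging-port and -start-debugger-server. Matching is case-insensitive on both the image path and the command line, and hits whose parent is a known WebDriver binary are downgraded rather than suppressed, because an attacker can run a real driver too.

```python
import re
from dataclasses import dataclass

# Browser executables whose command lines are worth inspecting (constructed list;
# extend it with whatever browsers are actually deployed).
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe",
    "chromium.exe", "firefox.exe",
}

# Automation drivers that legitimately start browsers with remote debugging
# (constructed allowlist). Hits with these parents are reported at low severity,
# not dropped: a tester's driver and an attacker's driver look identical here.
AUTOMATION_PARENTS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}

# Chromium: --remote-debugging-port / --remote-debugging-pipe / --remote-allow-origins
# Firefox:  --remote-debugging-port / -start-debugger-server
DEBUG_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)-{1,2}(remote-debugging-port|remote-debugging-pipe|"
    r"remote-allow-origins|start-debugger-server)\b"
)
PORT_RE = re.compile(r"(?i)(?:remote-debugging-port|start-debugger-server)[=\s]+(\d+)")


@dataclass
class ProcessEvent:
    """Subset of a process-creation event (Sysmon EID 1 / Security 4688 fields)."""
    image: str
    command_line: str
    parent_image: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_browser_debugging(events):
    """Return one hit per browser process started with a remote-debugging switch."""
    hits = []
    for ev in events:
        if basename(ev.image) not in BROWSER_IMAGES:
            continue  # same switch on a non-browser binary is a different story
        flag = DEBUG_FLAG_RE.search(ev.command_line)
        if not flag:
            continue
        parent = basename(ev.parent_image)
        port = PORT_RE.search(ev.command_line)
        hits.append({
            "image": basename(ev.image),
            "flag": flag.group(1).lower(),
            "port": int(port.group(1)) if port else None,
            "parent": parent,
            "user": ev.user,
            "severity": "low" if parent in AUTOMATION_PARENTS else "high",
        })
    return hits


# Constructed sample events: one benign launch, one pivoting-style launch from
# PowerShell, one WebDriver launch, one Firefox debugger launch, one upper-cased
# launch from wscript, and a non-browser process carrying the switch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 '"chrome.exe" https://mail.example.com',
                 r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 '"chrome.exe" --remote-debugging-port=9222 --headless '
                 '--user-data-dir="C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 '"msedge.exe" --headless --remote-debugging-pipe',
                 r"C:\tools\msedgedriver.exe", "CORP\\svc_test"),
    ProcessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 '"firefox.exe" -start-debugger-server 6000',
                 r"C:\Windows\System32\cmd.exe", "CORP\\bob"),
    ProcessEvent(r"C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE",
                 "CHROME.EXE --REMOTE-DEBUGGING-PORT=9223",
                 r"C:\Windows\System32\wscript.exe", "CORP\\bob"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 "notepad.exe --remote-debugging-port=9222",
                 r"C:\Windows\explorer.exe", "CORP\\carol"),
]

if __name__ == "__main__":
    for hit in detect_browser_debugging(SAMPLE_EVENTS):
        print(hit)
```

Four of the six sample events produce hits; the Edge launch under msedgedriver.exe comes back at low severity, and the notepad.exe event is ignored because the switch only matters on a browser image. The user-data-dir and headless switches in the PowerShell-spawned event are the combination typical of a pivoting launch that reuses the victim's existing profile, and are worth surfacing as context in the alert.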

Detection

ID: DS0015
Data source and component: Application Log: Application Log Content
Description: Monitor for third-party application logging, messaging, and/or other service artifacts that provide context of user authentication to web applications, including cloud-based services. Combine this information with web credential usage events to identify authentication events that do not fit the organization's baseline.

ID: DS0006
Data source and component: Web Credential: Web Credential Usage
Description: Monitor for anomalous access to websites and cloud-based applications by the same user from different locations, or from different systems that do not match the expected configuration.
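Both data sources above reduce to the same question: is one session cookie, or one user, showing up from places or clients that do not fit its baseline? The following is an added example of that analysis, written for this page and not part of the MaxPatrol SIEM content. It parses constructed application-log lines (the line format, the session IDs and the IP-to-country table are assumptions; documentation address ranges stand in for a GeoIP lookup). A session is baselined on its first appearance and alerted when the same cookie later arrives with a different user agent or from a different country; separately, a user seen in two countries within a short window is flagged regardless of session ID, which also catches a fresh login from the stolen cookie's new location.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed IP-to-country table standing in for a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "BR"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Assumed log line format: ISO timestamp, user, session id (hash of the cookie), ip, quoted UA.
LOG_RE = re.compile(r'^(\S+) user=(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"$')


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # unknown ranges still count as "a different place"


def parse_log_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, user, sid, ip, ua = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "sid": sid, "ip": ip, "ua": ua, "country": country_of(ip),
    }


def analyze(lines, travel_window=timedelta(minutes=60)):
    """Return alerts for session cookies reused from a new client/country and for
    users appearing in two countries within travel_window."""
    events = sorted((parse_log_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    session_baseline = {}  # sid  -> first event seen with that cookie
    last_by_user = {}      # user -> most recent event for that user
    alerts = []
    for ev in events:
        reasons = []
        base = session_baseline.setdefault(ev["sid"], ev)
        if base is not ev:
            # A bare IP change inside the same country is deliberately not alerted:
            # NAT pools and mobile clients change address constantly.
            if ev["ua"] != base["ua"]:
                reasons.append("session_user_agent_change")
            if ev["country"] != base["country"]:
                reasons.append("session_country_change")
            if ev["user"] != base["user"]:
                reasons.append("session_user_mismatch")
        prev = last_by_user.get(ev["user"])
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= travel_window:
            reasons.append("impossible_travel")
        last_by_user[ev["user"]] = ev
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "sid": ev["sid"],
                           "ip": ev["ip"], "reasons": sorted(reasons)})
    return alerts


# Constructed sample log: alice's cookie s1 reappears from Brazil on a different
# browser; bob only changes IP inside Germany; carol starts a new session in the
# US twenty minutes after one in Germany.
SAMPLE_LOG = """
2024-05-02T09:00:00Z user=alice sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-02T09:05:00Z user=alice sid=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/124"
2024-05-02T09:30:00Z user=alice sid=s1 ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/125"
2024-05-02T10:00:00Z user=bob sid=s2 ip=203.0.113.22 ua="Mozilla/5.0 (Windows NT 10.0) Edge/124"
2024-05-02T10:10:00Z user=bob sid=s2 ip=203.0.113.23 ua="Mozilla/5.0 (Windows NT 10.0) Edge/124"
2024-05-02T11:00:00Z user=carol sid=s3 ip=203.0.113.40 ua="Mozilla/5.0 (Macintosh) Safari/17"
2024-05-02T11:20:00Z user=carol sid=s4 ip=192.0.2.9 ua="Mozilla/5.0 (Macintosh) Safari/17"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields two alerts: alice's s1 event at 09:30 (country change, user-agent change and impossible travel all at once, the shape a replayed cookie usually has) and carol's new session s4 (impossible travel only). Bob produces nothing. In a real deployment the session ID should be a hash of the cookie value, never the raw cookie, and the travel window and country granularity are tuning knobs rather than fixed values.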

Mitigation

ID: M1054
Name: Software Configuration
Description: Configure browsers or scheduled tasks to regularly delete persistent cookies. Note that deleting a cookie on the client does not invalidate the session on the server; a copy already stolen stays usable until the server-side session expires or is revoked, so short server-side session lifetimes and explicit logout are needed alongside client-side clean-up.